Google Users Who Want to Use 2-Factor Protections — But Don’t Understand How

In my “Questions I’m Asked About Google” #1 live video stream a few days ago, I emphasized the importance of protecting Google Accounts with Google’s excellent 2-factor authentication system.

In response I’ve received a bunch of queries from Google users who do not understand how to set this up or use it, even though they very much want to.

These concerns fall into a number of categories. Even though I explained that it’s safe to give your phone number to Google — Google won’t abuse it — many users are still resistant, and note that they do not see a way to activate Google 2-factor protection for other authentication mechanisms (e.g. Google Authenticator App and/or Backup Codes) without first providing their phone number information.

Others want to use their existing (non-Google) mail programs after activating Google 2-factor, but are utterly confused by Google’s “application-specific passwords” system that is required to do so.

When you’re trying to get users to take advantage of the best possible security, and have successfully convinced them that this is a good idea, but your documentation is still written in a way that many non-techie users dependent on your services cannot readily understand — you have a serious problem.

Despite positive strides at Google in terms of help center and other documentation resources, Google is still leaving vast numbers of their users behind.

Google can do better.



5 thoughts on “Google Users Who Want to Use 2-Factor Protections — But Don’t Understand How”

  1. I am one of those who is unwilling to give Google my phone number. No corporation can be trusted with a phone number, especially one that can also handle text messaging. I also do not use GMail. My primary use of Google is Drive for documents. Is there a way to use two-factor at all?

    Separately, how can I report to Google, spam originating from Google, without being in GMail? I especially see this at work, where role email addresses receive Google-originated spam. Those role accounts do not, and should not, have a GMail account. Those role accounts cannot send, and should not be able to send, email. (Given the nature of SMTP, it is eminently possible to forge email from such an account, but even then, there’s nowhere to send that email: Google is remarkably unwilling to let anyone talk to it from outside.) Is there a way to tell Google they have an account that’s generating spam when the spam gets sent to a receive-only email address which is not on any Google system?

    1. Frankly, I think you’re being rather silly with a blanket “no corporation can be trusted” meme. In fact, Google can be trusted with your phone number. Think about it — at Google’s scale, if they did “bad things” with phone numbers, you’d be hearing about some such cases in the tech news pretty much every day. You don’t hear such stories about Google, because Google doesn’t abuse the phone numbers. Case closed. As for reporting Gmail spam to a non-Gmail account, use this link:

      1. Google has already demonstrated untrustworthiness with a phone. I have an Android phone, specifically a Samsung Galaxy S5 Sport. If I leave location services turned on, I will get requests — so far as I can tell, from Google — to provide photos of various retail places I visit. (I normally leave location services disabled, but sometimes I turn them on for a specific purpose and then forget to turn them back off.) I see no reason to believe Google would behave any better with an actual phone number.

        1. I fail to see the problem. If you want location services off, turn them off. If you want them on, turn them on. If you don’t want to participate in location photo submissions, either ignore the requests or disable them by turning off notifications in the Google Maps app settings.

      2. Phone number 2FA does two big things – connects your account to The Real World (unless you’re really good at using burner phones, or have magically found a VOIP service that accepts text messages and is either free or accepts Bitcoins), and allows correlation between accounts (unless you’re using multiple burner-phone SIMs or multiple accounts on the magical free VOIP service.)

        (And (green checkmark) I’m not a robot.)
